Bug 127054 - pam_unix.so nullok overrides PAM_DISALLOW_NULL_AUTHTOK flag
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: pam
Version: 2
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Tomas Mraz
Keywords: Security
Reported: 2004-07-01 01:10 EDT by Darren Tucker
Modified: 2007-11-30 17:10 EST
Fixed In Version: pam-0.77-56
Doc Type: Bug Fix
Last Closed: 2004-09-20 10:49:12 EDT

Attachments
ignore-disallow-nullauthtok.c: testcase for flag ignoring bug. (1.19 KB, text/plain) - 2004-07-01 01:13 EDT, Darren Tucker
Proposed patch (701 bytes, patch) - 2004-09-08 11:35 EDT, Tomas Mraz

Description Darren Tucker 2004-07-01 01:10:51 EDT
Description of problem:
If the pam_unix.so "nullok" flag is present (which it is by default on
FC) then PAM effectively ignores pam_authenticate()'s
PAM_DISALLOW_NULL_AUTHTOK flag.

This seems wrong, since the correct thing would appear to be to use
the more restrictive of the two (ie nullok &&
!PAM_DISALLOW_NULL_AUTHTOK).  It means that a PAM-using application
may permit access without authentication even though it has explicitly
requested that this not be allowed (hence severity of "security").

I will attach a testcase (which requires a user "testuser" with no
password in order to work).

Version-Release number of selected component (if applicable):
pam-0.77-40

How reproducible:
Always

Steps to Reproduce:
1. Ensure pam_unix in /etc/pam.d/system-auth contains the "nullok"
flag (this is the default).
2. Call pam_authenticate with the PAM_DISALLOW_NULL_AUTHTOK flag (such
as the attached testcase does).
3. Note that it succeeds without further authentication.
    
Actual Results:
$ gcc ignore-disallow-nullauthtok.c -lpam
$ sudo ./a.out
NOTE: this test requires a user 'testuser' with no password
pam_start result 0 (Success)
pam_authenticate result 0 (Success)
FAIL: Authentication allowed despite DISALLOW_NULL_AUTHTOK

Expected Results:
$ sudo ./a.out
NOTE: this test requires a user 'testuser' with no password
pam_start result 0 (Success)
pam_authenticate conversation my_conv1 called
pam_authenticate result 7 (Authentication failure)
PASS: did not permit authentication

Additional info:
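The decision rule the report asks for (a blank password is accepted only when nullok is configured AND the application did not pass PAM_DISALLOW_NULL_AUTHTOK), as an added model in C. This is not the attached testcase and not pam_unix's own code: the PAM constants are defined locally (with the values used in Linux-PAM's headers) so it compiles without libpam, and the control bits, argument parsing and stored-hash handling are simplifications of pam_unix's internals. The `use_fixed` switch reproduces the behaviour reported for pam-0.77-40 beside the corrected rule, on a constructed pam.d line and an empty shadow password field.

```c
#include <stdio.h>
#include <string.h>

/* Constants defined locally so the model compiles without libpam; the values
 * are the ones in Linux-PAM's security/_pam_types.h (assumption stated here). */
#define PAM_SUCCESS               0
#define PAM_AUTH_ERR              7
#define PAM_DISALLOW_NULL_AUTHTOK 0x0001U

/* Hypothetical control bits, a simplification of pam_unix's ctrl word. */
#define CTRL_NULLOK 0x01u   /* "nullok" given on the pam.d line */
#define CTRL_NONULL 0x02u   /* the application forbade empty authtoks */

/* Parse the module arguments from the pam.d line ("nullok shadow ..."). */
static unsigned parse_module_args(int argc, const char **argv)
{
    unsigned ctrl = 0;
    for (int i = 0; i < argc; i++)
        if (strcmp(argv[i], "nullok") == 0)
            ctrl |= CTRL_NULLOK;
    return ctrl;
}

/* Blank-password decision: returns 1 when the module would grant access
 * without prompting. With use_fixed == 0 it reproduces the reported bug
 * (only the config option is consulted); with use_fixed == 1 the
 * application's PAM_DISALLOW_NULL_AUTHTOK flag is folded into the control
 * word first, so the more restrictive of the two wins. */
int unix_blankpasswd(const char *stored_hash, int argc, const char **argv,
                     int flags, int use_fixed)
{
    unsigned ctrl = parse_module_args(argc, argv);

    if (use_fixed && (flags & PAM_DISALLOW_NULL_AUTHTOK))
        ctrl |= CTRL_NONULL;

    /* Only an empty password field can ever be a blank password. */
    if (stored_hash == NULL || stored_hash[0] != '\0')
        return 0;
    if (!(ctrl & CTRL_NULLOK))
        return 0;
    if (ctrl & CTRL_NONULL)
        return 0;
    return 1;
}

/* pam_authenticate as the testcase observes it: a blank password that is
 * accepted yields PAM_SUCCESS without the conversation function ever being
 * called; anything else would prompt, which this model (no password is
 * supplied) reports as PAM_AUTH_ERR. */
int model_authenticate(const char *stored_hash, int argc, const char **argv,
                       int flags, int use_fixed)
{
    return unix_blankpasswd(stored_hash, argc, argv, flags, use_fixed)
               ? PAM_SUCCESS : PAM_AUTH_ERR;
}

static const char *describe(int rc)
{
    return rc == PAM_SUCCESS ? "Success" : "Authentication failure";
}

int main(void)
{
    /* Constructed inputs: a pam_unix line carrying nullok and a user whose
     * /etc/shadow password field is empty, like the bug's "testuser". */
    const char *args[] = { "nullok", "shadow" };
    const int argc = 2;
    const char *empty_hash = "";

    int buggy = model_authenticate(empty_hash, argc, args,
                                   PAM_DISALLOW_NULL_AUTHTOK, 0);
    int fixed = model_authenticate(empty_hash, argc, args,
                                   PAM_DISALLOW_NULL_AUTHTOK, 1);

    printf("pam-0.77-40 behaviour: result %d (%s)\n", buggy, describe(buggy));
    printf("after fix:             result %d (%s)\n", fixed, describe(fixed));
    if (buggy == PAM_SUCCESS)
        puts("FAIL: Authentication allowed despite DISALLOW_NULL_AUTHTOK");
    if (fixed == PAM_AUTH_ERR)
        puts("PASS: did not permit authentication");
    return 0;
}
```

The point of folding the application flag into the module's control word, rather than checking it separately at each call site, is that every later path that consults "is a blank password acceptable" automatically sees the stricter answer; the same model also shows that with no flag and nullok present a blank password is still accepted, which is the intended nullok behaviour and not part of this bug.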
Comment 1 Darren Tucker 2004-07-01 01:13:24 EDT
Created attachment 101553 [details]
ignore-disallow-nullauthtok.c: testcase for flag ignoring bug.
Comment 2 Tomas Mraz 2004-09-08 11:33:29 EDT
I will attach a patch for this.
Comment 3 Tomas Mraz 2004-09-08 11:35:07 EDT
Created attachment 103588 [details]
Proposed patch
Comment 4 Tomas Mraz 2004-09-20 10:49:12 EDT
It's in.
